Thycotic’s CyberSecurity Publication

POPULAR CATEGORIES

The 6 Most Disturbing Data Breaches In 2018 So Far

July 31st, 2018

SHARE THIS

Tags

You could argue that all cyber-attacks and data breaches are disturbing, and you wouldn’t be wrong. But all too often a cyber-incident comes along that hits a whole new level of intrusion or includes an unsettling component of cyber security neglect that causes us to raise our eyebrows higher than usual.

These data breaches stood out to me as being particularly disturbing

I’ve compiled a list of data breaches that stand out to me as being particularly disturbing. Most occurred in 2018, while others came to light in 2018 but were well underway before the affected organization discovered them, or finally confessed to them.

1. ExactisBefore June 27th 2018 most people were not familiar with the Florida-based firm Exactis. This is when we learned that the company left its database open to the public exposing nearly 340 millionindividual records, affecting about 230 millionUS consumers and 110 millionbusinesses. Exactis compiles and aggregates business and consumer data they collect from people who browse websites that use cookies.

At the time of writing the company had not yet confirmed the leak and the number of people affected is still an estimate, but the leaked data included an extraordinary depth of information that—in addition to phone numbers, home and email addresses, interests, and the number, age and gender of their children—may have included the victims’ personal habits, religions, and even pet ownership details. A first-class action lawsuit has been filed against Exactis.

Why is this breach disturbing?

The lack of responsibility demonstrated by the company: one of the largest collections of personal data was left unprotected by even the most basic cyber security measures.

The volume of people affected—we’re looking at pretty much every single US citizen.

The depth of information breached. It is alleged that up to 400 variables on victims’ characteristics were exposed, although financial information and social security numbers were not among them.

How do you protect yourself or reduce the risk from this sort of incident?Individuals: Short of staying offline there is no simple and convenient way protect yourself from this type of data leak, especially if you browse from multiple devices. This article offers a list of ways to browse the web anonymously.Organizations: Ensure that sensitive data follows a least privilege approach and that authorized access is always required to view such data. Further protect your sensitive data using a privileged account management solution that’s easy to use (to ensure adoption), and implement a least privilege policy to ensure individuals can access only the credentials they need to complete their task.

2. Under Armour / My Fitness Pay AppIn February 2018 Under Armour’s MyFitnessPal App experienced one of the biggest data breaches in history when an unauthorized party accessed the company’s data stash. The user names, email addresses and scrambled passwords of over 150,000,000 app users were stolen. The breach was discovered on March 25th and users were notified to change their passwords four days after that. The type of data that was breached is considered moderate and the breach was discovered relatively fast. Under Armour gets credit for hashing the passwords and processing credit card information separately, two actions that prevented this breach from spiraling to a whole new level of disastrous. To date, the entity behind this breach has not yet been identified.

Why is this breach disturbing?

The volume of users affected.This was, at the time, a record-breaking breach.

The type of information at risk. MyFitnessPal can collect precise data regarding the user’s performance, personal fitness records, health and location. As more people adopt wearable or mobile apps that record their most private data, the more there is to be gained by cyber criminals.

How do you protect yourself or reduce the risk from this sort of incident?Individuals: Limit damage by using a unique password for every website or application you access and manage them with a password manager. When you have a choice, allow apps access to only the information they need in order to operate.Organizations: The exact breach technique has not been confirmed by the company, so I can’t suggest a suitable means of protection.

3. Tesla
On June 14th a disgruntled Tesla employee admitted to hacking the company’s secret trade information and sharing the data with unnamed 3rd parties. A few days later Elon Musk sent an email to employees notifying them of the breach and requesting their cooperation and vigilance as Tesla moved forward with its investigation and subsequent lawsuit. As a groundbreaking tech company on the forefront of human innovation Tesla is no doubt braced for cyber-attacks. A variety of non-malicious hacks have revealed several of Tesla’s security vulnerabilities, but it’s this insider attack that set the company on edge.

Why is this breach disturbing?

It came from the inside, a vicious attack from within the ranks of the ‘trusted few’. Operating like extended families, companies choose their team members with great care, and a devastating attack like this not only forces a company to review its vetting process but also throws the trustworthiness of remaining team members into question. This is also concerning given the recent safety record with Tesla and whether they may be related.

The extent of the violation may remain forever unknown. This makes total damage control and repair almost impossible.

How do you protect yourself or reduce the risk from this sort of incident?Organizations: The precise nature of the hack is unknown, but it’s possible that implementing a least privilege policy could have reduced the risk of this threat, and a privileged account system with email alerts for Event Subscriptions could have alerted IT Admins of the malicious activity in real time.

4. My HeritageOn June 4th news broke that the My Heritage, a family tree-type website that offers a genealogy and DNA testing service, was breached, exposing the email addresses and hashed passwords of over 92 million registered users. The breach occurred in October 2017 but remained undiscovered until 9 months later when a security researcher told the company about a file he had found on a private server outside of MyHeritage. No DNA data was compromised. This time.

Why is this breach disturbing?

The volume of users affected.

The duration of the breach: 8 months passed before victims were notified to change their passwords. (It is not unusual for breach victims to receive the first news of a breach so long after the event that it’s too late for them to effectively react.)

The type of company involved. A company that stores the DNA of millions of human beings should have maximum security protections in place and up to date.

How do you protect yourself or reduce the risk from this sort of incident?Individuals: Use a different password for every account you have to prevent cyber criminals from easily accessing your other accounts.
DNA testing for future health predictions and ancestry reasons is a hot trend. Some websites even suggest you purchase DNA tests as gifts for friends and family. While no DNA data was accessed during this breach, seriously consider the pros and cons of having your DNA stored in an organization’s database before signing yourself or a companion up for this service.Organizations: We don’t know exactly how this data made its way to a 3rd party server but a comprehensive privileged account management system could have prevented data from being copied from MyHeritage without anyone’s knowledge.

IT Security should be easy. We’ll show you how.

In March 2018 news of the Facebook/Cambridge Analytica data incident broke in mainstream media: the personally identifiable information—or PII—of over 87 million Facebook users had been used to influence voter opinion. Cambridge Analytica, a British political consulting firm, obtained the PII in a manner that was considered inappropriate. Facebook users believed they were taking part in a survey for academic purposes, but Facebook’s design enabled an app to not only collect the personal information of the survey takers, but also that of all the ‘friends’ of those people. In this way Cambridge Analytica acquired data from millions of Facebook users.

Why is this breach disturbing?

The deception. Facebook users had no idea their PII was being collected during the survey.

The collateral damage. Friends of the survey-takers were also unknowing victims.

The breach of trust. While Facebook is no stranger to privacy violations the company had given users reason to believe it had cleaned up its act, but it had just lulled them into a false sense of security.

How do you protect yourself or reduce the risk from this sort of incident?Individuals: Limit the use social media. Seriously, that’s the only way. But if you must, set your security options to maximize your privacy. Don’t take ANY surveys on Facebook (not even the fun innocent looking ones that tell you which fiction character you look like, etc.). Don’t purchase products directly through Facebook, or by clicking on a Facebook link. Instead, visit the seller’s website directly. Read Thycotic’s Cybersecurity for Dummies to learn what other security controls you can take to reduce your risks.Organizations: Understand the addictive connection many of your employees have to social media and protect your network endpoints as if a breach was inevitable—it pretty much is. With a huge overlap between personal and business devices, phones and laptops it’s only a matter of time before an endpoint breach enables an intruder to access your company’s sensitive data. Also, read 5 Shocking Insights into the Social Network Habits of Security Professionals – it has a great infographic.

6. Health South East RHF, Aetna, BJC Healthcare, and other healthcare organizationsIn early January Health South East RHF, a healthcare organization that manages hospitals in Norway, revealed that the confidential health information of 56% of Norway’s overall population had been accessed by professional skilled cyber-criminals.

The organization is not alone in such major cyber incidents. Many others have joined the list of healthcare companies that suffered data breaches or cyber-attacks of some sort in 2018. Look at the number of individuals affected:

Added together patient data breaches from these and other cyber-attacks affect millions of people. Due to the number of employees in healthcare, the industry provides rich pickings. From wrongly configured servers and unsecured privileged accounts to phishing scams and emailing errors, healthcare organizations seem especially vulnerable to breaches.

Why are healthcare breaches so disturbing?

The nature of the data breached. Medical records contain the most private aspects of an individual’s life, and in the wrong hands could prove catastrophic.

The ease with which many healthcare organizations are breached. With so many unsavvy employees available to attack, cyber-criminals often make a successful intrusion with little more than a single convincing phishing email.

How do you protect yourself or reduce the risk from this sort of incident?Individuals: As a patient there’s nothing you can do to prevent your medical records (scans, xrays, test results, diagnoses, etc.) or PII from being compromised in a healthcare breach. However, you can try limit the information contained in your records. Don’t write your social security number on any form at a doctor’s office unless they insist that a treatment cannot proceed without it, and check your medical records for unnecessary or superfluous information.Organizations: Practice the highest level of privileged account management with an emphasis on least privilege. In an industry where such a large portion of employees have access to sensitive information it’s crucial to apply the appropriate privilege levels to anyone with access to the data.
Take your first step to implementing least privilege with our freeLeast Privilege Discovery Tool >
Also, implement a cyber security education program to teach employees how to recognize phishing emails or suspicious hyperlinks, and ensure they understand why they are vulnerable, what the cost of a breach is, and that cyber security is everybody’s responsibility.

So, do you feel disturbed?

You really should. These breaches are unnerving in many ways. Some disturbing characteristics that many cyber breaches have in common include:

the breach was discovered by someone other than the affected company, which means the actual company was not on top of its cyber security game.

the company confessed to the breach too late for anyone to react in time to limit the damage.

As long as all this data is being leaked in a piecemeal fashion we can come away from each breach saying “Well all they got way my username—my password was hashed” or “So they got my password, I’ll just change it”.

But what happens when cyber attackers create a clone of you?

But what happens one day when cyber attackers collaborate, and all this data gets collated into one comprehensive database, or they even create a clone of you? Suddenly a malicious actor knows your name, address, phone number, email, your dog’s name (it’s not your password too, right?), where you work, what you like on social media, what your credit card number is, and where your kids go to school. And maybe they also a have morsel of information that an insurance company would just love to know about you? See where I’m going?

Be cyber-aware and learn to protect yourself or your organization from the most disturbing of crimes. Get started by downloading Thycotic’s free eBook Cybersecurity for Dummies.

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.